﻿using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

namespace ZhongKeSite.Common
{
    public class AntiSqlInject
    {
        public static AntiSqlInject Instance = new AntiSqlInject();

        /// <summary>
        /// 初始化过滤方法
        /// </summary>
        static AntiSqlInject()
        {
            //SqlKeywordsArray.AddRange(SqlSeparatKeywords.Split('|'));
            SqlKeywordsArray.AddRange(Array.ConvertAll(SqlCommandKeywords.Split('|'), h => h + " "));
            SqlKeywordsArray.AddRange(Array.ConvertAll(SqlCommandKeywords.Split('|'), h => " " + h));
        }

        private const string SqlCommandKeywords = " and | exec | execute | insert | select | delete | update | count | chr | mid | master | " +
                                                  " char | declare | sitename | net user | xp_cmdshell | or | create | drop | table | from | grant | use | group_concat | column_name | " +
                                                  "information_schema.columns | table_schema | union | where | select | delete | update | orderhaving | having | by | count | truncate | like ";

        private const string SqlSeparatKeywords = "'|;|\'|/*|%|#";

        private static readonly List<string> SqlKeywordsArray = new List<string>();

        /// <summary>
        /// 是否安全
        /// </summary>
        /// <param name="input">输入</param>
        /// <returns>返回</returns>
        public bool IsSafetySql(string input)
        {
            if (string.IsNullOrWhiteSpace(input))
            {
                return true;
            }
            //input = HttpUtility.UrlDecode(input).ToLower();

            input = HttpUtility.UrlDecode(input);

            foreach (var sqlKeyword in SqlKeywordsArray)
            {
                if (input.IndexOf(sqlKeyword, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// 返回安全字符串
        /// </summary>
        /// <param name="input">输入</param>
        /// <returns>返回</returns>
        public string GetSafetySql(string input)
        {
            if (string.IsNullOrEmpty(input))
            {
                return string.Empty;
            }
            if (IsSafetySql(input)) { return input; }
            //input = HttpUtility.UrlDecode(input).ToLower();
            input = HttpUtility.UrlDecode(input);

            foreach (var sqlKeyword in SqlKeywordsArray)
            {
                if (input.IndexOf(sqlKeyword, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    input = Regex.Replace(input, sqlKeyword,string.Empty, RegexOptions.IgnoreCase);
                }
            }
            return input;
        }

    }
}
